PKI Contacts PKI for Fraunhofer Contacts


Fraunhofer Competence Center PKI

PKI Contacts (PKI for Fraunhofer Contacts)
User manual for communication partners of the Fraunhofer-Gesellschaft

Author[s]: Uwe Bendisch, Maximilian Gottwald
As at: 03.02.2017
Version 1.1

Document history

VERSION  DATE        MODIFICATIONS                                          AUTHOR
1.1      03.02.2017  Revisions to section 4, 4.1.2, 4.1.2.1 and 4.1.2.2     UB
1.0      23.01.2014  Final review                                           UB
0.9      15.10.2013  Creation of German version with English screen shots   MG, UB

Mailing list/target group: This document is aimed at those communications partners of the Fraunhofer-Gesellschaft who wish to use certificate-based authentication to protect their e-mail correspondence with Fraunhofer-Gesellschaft employees and who do not yet possess certificates for the purpose.

Remarks/notes: This document has been put together with great care and attention to detail, but sadly this does not guarantee the absence of errors. Liability can be accepted neither for any errors that may occur nor for their possible consequences. Please feel free to inform the CC-PKI of any comments or requests for changes to the document by e-mailing the Fraunhofer service desk at servicedesk@fraunhofer.de. We will do our very best to take up every good idea we receive and to implement your suggested improvements.

Internal information:
File name: PKI-Contacts_Anleitung_Extern_EN (V 1.1).docx
Time: 03.02.2017
Editor: Uwe Bendisch

Contents

Introduction
1 Obtaining a Fraunhofer employee's certificate
  1.1 Receiving a certificate by e-mail
  1.2 Downloading a certificate from the PKI Contacts website
2 Requesting your own personal certificate
  2.1 Requesting your own personal certificate with Microsoft Internet Explorer
  2.2 Requesting your own personal certificate with Mozilla Firefox
3 Exporting your own personal certificate from the browser
  3.1 Exporting your own personal certificate from Microsoft Internet Explorer
  3.2 Exporting your own personal certificate from Mozilla Firefox
4
  4.1 Preparing the e-mail client to use certificates
    4.1.1 Integrating the PKI for Fraunhofer Contacts root certificate
      4.1.1.1 Incorporating the PKI for Fraunhofer Contacts root certificate into the Microsoft certificate store
      4.1.1.2 Incorporating the PKI for Fraunhofer Contacts root certificate into the Mozilla Thunderbird certificate manager
    4.1.2 Integrating the PKI for Fraunhofer Employees root certificates / certificate chains
      4.1.2.1 Incorporating the PKI for Fraunhofer Employees root certificates / certificate chains into the Microsoft certificate store
      4.1.2.2 Incorporating the PKI for Fraunhofer Employees root certificates / certificate chains into the Mozilla Thunderbird certificate manager
  4.2 Incorporating your own personal certificate into the e-mail client
    4.2.1 Incorporating your own personal certificate into the Microsoft certificate store
      4.2.1.1 Configuring your own personal certificate in Microsoft Outlook 2010
      4.2.1.2 Configuring your own personal certificate in Microsoft Outlook 2007
      4.2.1.3 Configuring your own personal certificate in Microsoft Outlook 2003
    4.2.2 Incorporating and configuring your own personal certificate in Mozilla Thunderbird
  4.3 Incorporating a Fraunhofer employee's certificate into the e-mail client
    4.3.1 Incorporating a Fraunhofer employee's certificate into Microsoft Outlook 2010
    4.3.2 Incorporating a Fraunhofer employee's certificate into Microsoft Outlook 2007
    4.3.3 Incorporating a Fraunhofer employee's certificate into Microsoft Outlook 2003
    4.3.4 Incorporating a Fraunhofer employee's certificate into Mozilla Thunderbird
  4.4 Sending digitally signed and/or encrypted e-mails
    4.4.1 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook 2010
    4.4.2 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook 2007
    4.4.3 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook 2003
    4.4.4 Sending digitally signed and/or encrypted e-mails using Mozilla Thunderbird
5 Revoking a personal certificate
  5.1 Requesting the revocation of a personal certificate by e-mail
  5.2 Permanently revoking a personal certificate using the revocation e-mail

Introduction

This document describes how to establish secure e-mail communications with Fraunhofer-Gesellschaft employees. In order to establish encrypted e-mail communications, you and the Fraunhofer employee you wish to communicate with must each be in possession of a digital encryption certificate. Fraunhofer employees have for the most part already been provided with encryption certificates. To ensure you too are able to obtain a certificate for communicating with Fraunhofer, the Fraunhofer-Gesellschaft (or rather, to be precise, its Public Key Infrastructures Competence Center) runs its own public key infrastructure (PKI) that is completely separate from the PKI for Fraunhofer Employees. It is called PKI Contacts (PKI for Fraunhofer Contacts), and issues certificates to external communications partners of Fraunhofer employees.

You can use certificates issued to you to create signed e-mails, too. Recipients of such e-mails can be certain that the message is actually from you, and that it was not modified during transmission.

Please note that PKI Contacts can issue certificates only when prompted to do so by a Fraunhofer-Gesellschaft employee.

Note: Unless otherwise indicated, the screenshots contained in this manual were created using Mozilla Firefox and Thunderbird version 24 in Windows 7. The appearance of individual dialog windows may differ depending on the operating system or browser used. Internal browser processes may also vary slightly from product to product, particularly when it comes to selecting certificates or entering smartcard PINs.

1 Obtaining a Fraunhofer employee's certificate

In order to send a Fraunhofer employee an encrypted e-mail, you need his/her digital encryption certificate. You can receive this certificate by e-mail or download it from this website: https://contacts.pki.fraunhofer.de.

1.1 Receiving a certificate by e-mail

In order to obtain a Fraunhofer employee's digital encryption certificate by e-mail, you need to request that they send you a signed e-mail. Once the root certificates and remaining certificates in the PKI for Fraunhofer Employees certificate chain are integrated correctly into your e-mail client (see chapter 4.1.2), the Fraunhofer employee's certificate will be available for secure communication by e-mail. You can now answer the Fraunhofer employee's e-mail directly with an encrypted e-mail.

Note: The root certificates and the corresponding certificates from the PKI for Fraunhofer Employees certificate chain need to be imported only once into your e-mail program's certificate store.

1.2 Downloading a certificate from the PKI Contacts website

If you wish to send an encrypted e-mail to a Fraunhofer employee who already has a valid Fraunhofer PKI certificate that you are not yet in possession of, then you can obtain this certificate from https://contacts.pki.fraunhofer.de. Open the link in your browser and select Search Certificate of a Fraunhofer Employee under the For Partners section of the menu (see Figure 1).

Figure 1: Screen with search field for looking up certificates of Fraunhofer employees

Enter the surname of the Fraunhofer employee whose certificate you wish to obtain and click on Start search.

Note: You do not have to enter the whole name. Entering part of the name will produce a list of Fraunhofer employees whose surnames contain the part you searched for.

Note: For reasons of data protection, the number of search results shown is limited to three. Should the Fraunhofer employee you are searching for not be listed, it may be worth refining your search by entering a name/part of a name that contains more letters.

If the search finds a Fraunhofer employee whose name corresponds to the name you entered, you will be presented with a window displaying that employee's publicly available data as depicted in Figure 2. If this Fraunhofer employee is in possession of a digital encryption certificate, the details are shown in the section entitled Zertifikat (Certificate).

Figure 2: Results of search for a Fraunhofer employee's certificate

To save a valid certificate on your computer, click on Download and select the option Save File. Now select the folder in which you want to save the certificate, and click on Save. You can replace or change the suggested filename, but please ensure the file extension .cer remains unchanged (see Figure 3).

Figure 3: Saving a Fraunhofer employee's certificate

The process for integrating certificates into your e-mail client in order to use them for secure communication varies depending on the e-mail client you use. This process is described under section 4.3.
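The download above leaves you with a .cer file that section 4.3 will ask you to trust for encrypting mail. Before importing it, a practitioner would confirm that the file really is a certificate issued to the intended correspondent, that it has not expired, and that it chains to the PKI for Fraunhofer Employees root and intermediates mentioned in section 1.1. The script below is an added example and not part of the Fraunhofer manual; it assumes openssl is installed, and the file names, the chain file and the e-mail address are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fraunhofer manual: inspect a downloaded
# employee certificate (.cer) before trusting it in the e-mail client.
# openssl is required for the inspection step.  File names, the chain file
# and the e-mail address are placeholders.

# Collect the e-mail addresses a certificate is issued for, from the text
# that "openssl x509 -noout -ext subjectAltName" prints (modern S/MIME
# certificates) and from the subject line (older ones carry the address as
# emailAddress in the DN).  One address per line, duplicates removed.
cert_emails() {  # $1 = subjectAltName text, $2 = subject line
    {
        printf '%s\n' "$1" | tr ',' '\n' \
            | sed -n 's/^[[:space:]]*email:\([^[:space:]]*\).*/\1/p'
        printf '%s\n' "$2" | tr ',/' '\n\n' \
            | sed -n 's/^[[:space:]]*emailAddress *= *\([^[:space:]]*\).*/\1/p'
    } | sort -u
}

# Return 0 if the wanted address is among the listed ones (case-insensitive,
# which is how mail clients match a certificate to a recipient).
names_address() {  # $1 = newline-separated addresses, $2 = wanted address
    wanted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -Fqx -- "$wanted"
}

# Full check of a downloaded file: readable, not expired, chains to the
# trusted root/intermediates, and issued to the person you want to write to.
check_employee_cert() {  # $1 = .cer (PEM or DER), $2 = expected address, $3 = PEM file holding the CA chain
    pem=$(openssl x509 -in "$1" -inform PEM 2>/dev/null) \
      || pem=$(openssl x509 -in "$1" -inform DER) \
      || { echo "$1 is not an X.509 certificate" >&2; return 2; }
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -dates
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    # The same chain the e-mail client needs (section 1.1 / chapter 4.1.2).
    printf '%s\n' "$pem" | openssl verify -CAfile "$3" -purpose smimeencrypt >/dev/null \
        || { echo "certificate does not chain to the trusted root in $3" >&2; return 1; }
    san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    names_address "$(cert_emails "$san" "$subj")" "$2" \
        || { echo "certificate is not issued to $2" >&2; return 1; }
    echo "OK: $1 is a valid encryption certificate for $2"
}

# Usage: sh check_cert.sh employee.cer max.mustermann@example.org employees-chain.pem
if [ $# -eq 3 ]; then
    check_employee_cert "$@"
fi
```

The chain file is the concatenated PEM root and intermediate certificates of the PKI for Fraunhofer Employees; without it, openssl verify rightly refuses the certificate, just as the e-mail client will until chapter 4.1.2 has been followed.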

2 Requesting your own personal certificate

In order to establish secure e-mail communications with Fraunhofer you too need a certificate that is assigned to your e-mail address. In case you don't yet have a personal certificate of your own, you can obtain a free one from the PKI for Fraunhofer Contacts, PKI Contacts. Certificates can be issued only once requested by a Fraunhofer employee who knows you. Please ask your contact at Fraunhofer to apply for a certificate on your behalf. It is then up to you to generate a key and request a certificate yourself. There is a secure part of the website https://contacts.pki.fraunhofer.de with protected access from which Fraunhofer employees can authorize the issuing of certificates for communication partners. During the course of the process you will receive an automatically generated e-mail containing a link (see Figure 4) that takes you to a special PKI Contacts website that leads you through the certificate application process. Click on the link provided in the e-mail or copy the address bar into your browser.

Figure 4: E-mail with link for issuing a certificate

Note: Please be aware that for security reasons the link contains an identification feature that is valid only for you. Furthermore, the link must be used within 192 hours of the e-mail being sent. If you do not apply for a certificate within this time, you must ask your contact at the Fraunhofer-Gesellschaft to make a new request for authorization on your behalf.

2.1 Requesting your own personal certificate with Microsoft Internet Explorer

Note: Screenshots were created using Microsoft Internet Explorer version 10.

The link contained in the automatically generated e-mail takes you to a website that leads you through the certificate application process (see Figure 5).

Figure 5: Certificate issuance with Internet Explorer: user's data check and confirmation of having read the guidelines for issuing certificates etc.

Now please check your personal information and confirm that it is correct. Please also confirm that you acknowledge and comply with the remaining specified conditions and disclaimers, in particular confirming that you have understood and will comply with the guidelines for the issuance of certificates of the PKI for Fraunhofer Contacts. Click Proceed to key generation to be presented with a summary of the information you have entered and the confirmations you have given (see Figure 6). You also have the option to cancel the certificate generating process at this stage. Doing so means you will not receive a certificate.

Figure 6: Issuing certificates with Internet Explorer: summary of information entered by the user and the confirmations they have given

Click on Start key generation to generate a cryptographic key pair in your browser and to transmit the public key to the web server that will use it to create your certificate. As this is a security-sensitive process, Internet Explorer issues a caution warning you of the security risks involved, and asks you to confirm that you wish to proceed (see Figure 7). Please confirm the security prompt by clicking Yes and wait for a moment until the keys have been generated.

Figure 7: Issuing certificates with Internet Explorer: security prompt as part of the key-generation process

Once keys and certificate have been generated, you will receive a message that the certificate is ready to be installed. To do so, click on the link Install your certificate (see Figure 8). This installs the certificate in the Internet Explorer certificate store (Microsoft certificate store).

Figure 8: Issuing certificates with Internet Explorer: confirmation that the certificate was successfully issued

Internet Explorer uses the same caution message as shown in Figure 7 to warn you of the potential security risk that installing the certificate poses. Please confirm the security prompt by clicking Yes. You will now receive a message informing you that the certificate has been successfully installed in your browser (see Figure 9).

Figure 9: Issuing certificates with Internet Explorer: confirmation that the certificate has been installed

In order to be able to use the certificate in your e-mail client, you may now have to export it from your browser and import it into your e-mail client. This process depends on the type of browser and e-mail client you use. Section 3.1 describes how to export certificates from Internet Explorer, and chapter 0 describes how to use your personal certificate in different e-mail clients.

Note: Please be aware that it is not necessary to export a certificate from Internet Explorer if you intend to use it with an e-mail client that also accesses the Microsoft certificate store (such as Microsoft Outlook). In such cases it is enough to configure the certificate in the e-mail client (see chapter 0).

2.2 Requesting your own personal certificate with Mozilla Firefox

The link contained in the automatically generated e-mail takes you to a website that leads you through the certificate application process (see Figure 10).

Figure 10: Certificate issuance with Mozilla Firefox: user's data check and confirmation of having read the guidelines for issuing certificates etc.

Now please check your personal information and confirm that it is correct. Please also confirm that you acknowledge and comply with the remaining specified conditions and disclaimers, in particular confirming that you have understood and will comply with the guidelines for the issuance of certificates of the PKI for Fraunhofer Contacts. Click Proceed to key generation to be presented with a summary of the information you have entered and the confirmations you have given (see Figure 11). You also have the option to cancel the certificate generating process at this stage. Doing so means you will not receive a certificate.

Figure 11: Issuing certificates with Mozilla Firefox: summary of information entered by the user and the confirmations they have given

Click on Start key generation to generate a cryptographic key pair in your browser and to transmit the public key to the web server that will use it to create your certificate. If your computer has a smartcard reader attached with a card inserted in it, you must select where you wish to save the key pair/certificate by choosing a token from the drop-down list in the token dialog box (see Figure 12). Select Software Security Device and confirm by clicking OK.

Figure 12: Issuing certificates with Mozilla Firefox: selecting where to save the key pair/certificate

Note: If your computer does not have a smartcard reader attached, or the smartcard reader contains the wrong card, the dialog window referred to above will not appear.

Note: If you have set your browser to require entry of a master password, you will now be asked to enter this password in order to access your software security module. The password is required because your personal certificate will be saved in the browser's certificate store.

You will then receive a message informing you that your key is being generated (see Figure 13).

Figure 13: Certificate issuance with Mozilla Firefox: generating the key pair

Once the keys have been generated and the certificate issued successfully, you will receive a message informing you that you can now install the certificate. Click on the Install your certificate link (see Figure 14). This process installs the certificate in the Firefox certificate store.

Figure 14: Certificate issuance with Mozilla Firefox: confirmation that the certificate was issued successfully

Mozilla Firefox generates a separate window to notify you that installation of the certificate was successful (see Figure 15). The system will issue an explicit reminder suggesting that you save a backup copy of the certificate. Confirm this suggestion with OK.

Figure 15: Certificate issuance with Mozilla Firefox: confirmation that the certificate was installed successfully

Before the certificate can be used in your e-mail client, it must first be exported out of the browser and into your e-mail client. This process varies depending on the type of browser or e-mail client you use. How to export certificates from Mozilla Firefox is described in Section 3.2. How to use personal certificates in different e-mail clients is described in Chapter 0.

3 Exporting your own personal certificate from the browser

This chapter describes how to export personal certificates out of the browser. Exporting certificates and the keys that go with them is necessary in order to be able to create local backup copies of the certificates. Furthermore, some combinations of browser and e-mail client require certificates (and private keys) to be integrated into the respective e-mail client manually. The following sections deal with the specifics of various possible combinations.

3.1 Exporting your own personal certificate from Microsoft Internet Explorer

Note: If you use Internet Explorer in combination with Microsoft Outlook or any other e-mail program that accesses the Microsoft certificate store, then it is not necessary to export personal certificates/keys to enjoy secure e-mail communication. Users are however still recommended to make a backup copy of the certificate (and private key).

Open the Microsoft certificate store in Internet Explorer by going to Extras > Internet Options > Content > Certificates (see Figure 16).

Figure 16: Opening the Microsoft certificate store in Microsoft Internet Explorer

Select the certificate you wish to export from the options listed under the Personal tab and click Export (see Figure 17).

Figure 17: Selecting the certificate that is to be exported from the Microsoft certificate store

This opens the Microsoft certificate export wizard, which will take you through the exporting process. Click Next (see Figure 18).

Figure 18: Microsoft certificate export wizard

Select the option Yes, export the private key in the dialog window that follows and confirm by clicking Next (see Figure 19).

Figure 19: Microsoft certificate export wizard: selecting the option for exporting the private key

You do not need to make any changes in the dialog windows that follow, and can simply click Next (see Figure 20).

Figure 20: Microsoft certificate export wizard: selecting the file export format

Now enter a secure password [1] to protect the key when it is exported (see Figure 21). The password will be required whenever you want to import your certificate into a program, and protects against unauthorized access. Confirm this dialog window by clicking Next.

[1] The password should be at least twelve characters long and contain upper and lower case letters, numbers and symbols.

Figure 21: Microsoft certificate export wizard: entering the transport password for the backup certificate

Now click on Browse and select a location in which to save the certificate. Give the certificate and key file names that aptly describe the content, click Save and confirm the remaining dialog by clicking Next (see Figure 22).

Figure 22: Microsoft certificate export wizard: selecting where to save the backup certificate

The Certificate Export Wizard now presents you with another summary of the settings you have chosen. Click on Finish to execute and complete the export process (see Figure 23).

Figure 23: Microsoft certificate export wizard: finishing the wizard

A message will appear to confirm that the export was carried out successfully. Confirm it by clicking OK (see Figure 24).

Figure 24: Microsoft certificate export wizard: message informing you that certificate and private key were successfully exported

3.2 Exporting your own personal certificate from Mozilla Firefox

Note: Regardless of the e-mail program you use in combination with Mozilla Firefox, secure e-mail communication is possible only if personal certificates/keys are first exported out of the browser (and imported into the respective e-mail program). The Mozilla Firefox certificate manager can be accessed only from within the browser itself. Beyond this it also makes sense to export the certificate and private key in order to back them up.

Open the Mozilla Firefox certificate manager via Extras > Options > Advanced > Certificates > View Certificates (see Figure 25).

Figure 25: Opening the Mozilla Firefox certificate manager

Next, select the certificate you wish to export from the options listed under the Your Certificates tab and click on Backup (see Figure 26).

Figure 26: Selecting the certificate that is to be exported from the Mozilla Firefox certificate manager

Now select a location in which to save the certificate. Give the certificate and key file names that aptly describe the content, and then click Save (see Figure 27).

Figure 27: Selecting where to save the backup certificate in Mozilla Firefox

Note: If you have set your browser to require entry of a master password, you will now be asked to enter this password in order to access your software security module. The password is required because your personal certificate and the private key that goes with it will be exported out of the browser's certificate manager.

Now enter a secure password [2] to protect the key when it is exported (see Figure 28). The password will be required whenever you want to import your certificate into a program, and protects against unauthorized access. Confirm this dialog window by clicking OK.

[2] The password should be at least twelve characters long and contain upper and lower case letters, numbers and symbols.

Figure 28: Entering the transport password for the backup certificate (Mozilla Firefox)

A message will appear to confirm that the backup process was carried out successfully. Confirm by clicking OK (see Figure 29).

Figure 29: Message informing you that certificate and private key were successfully backed up (Mozilla Firefox)
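Both export paths in this chapter produce a PKCS#12 file (.pfx from the Windows wizard, .p12 from Firefox) whose only protection is the transport password from footnotes 1 and 2. A backup is worth little if the password is weak or if the file turns out not to contain the private key, so a practitioner would check both right after the export. The script below is an added example and not part of the Fraunhofer manual: it tests a password against the footnote policy and, assuming openssl is installed, opens the backup with that password and confirms a private key is inside. File names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fraunhofer manual: check the transport
# password of a certificate backup against the policy in footnotes 1 and 2
# of chapter 3, and confirm that an exported .p12/.pfx really opens with
# that password and contains the private key.  openssl is needed for the
# second part; file names are placeholders.

# Footnote policy: at least twelve characters, with upper- and lower-case
# letters, digits and symbols.  Prints what the password lacks, one word
# per shortfall; prints an empty line when it complies.
password_policy_gaps() {
    pw=$1; gaps=""
    [ "${#pw}" -ge 12 ]                           || gaps="$gaps length"
    case $pw in *[[:upper:]]*) ;; *) gaps="$gaps upper"  ;; esac
    case $pw in *[[:lower:]]*) ;; *) gaps="$gaps lower"  ;; esac
    case $pw in *[[:digit:]]*) ;; *) gaps="$gaps digit"  ;; esac
    case $pw in *[![:alnum:]]*) ;; *) gaps="$gaps symbol" ;; esac
    printf '%s\n' "${gaps# }"
}

# Return 0 when the password meets the footnote policy.
password_meets_policy() {
    [ -z "$(password_policy_gaps "$1")" ]
}

# Open the exported backup with the transport password.  The password is
# handed to openssl through the environment rather than on the command
# line, so it does not show up in the process list.
check_p12_backup() {  # $1 = backup file (.p12/.pfx), $2 = transport password
    P12_PASS=$2; export P12_PASS
    # A wrong password fails the MAC check and openssl exits non-zero.
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null \
        || { echo "cannot open $1 with the given password" >&2; unset P12_PASS; return 1; }
    # The backup is only useful if the private key travelled with the certificate.
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' \
        || { echo "$1 contains no private key" >&2; unset P12_PASS; return 1; }
    # Show which certificate the backup holds and when it expires.
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject -enddate
    unset P12_PASS
}

# Usage: sh check_backup.sh backup.p12
# The password is prompted for, so it lands neither in the shell history
# nor in the process list.
if [ $# -eq 1 ]; then
    printf 'Transport password: '
    stty -echo; read -r pw; stty echo; echo
    password_meets_policy "$pw" \
        || echo "warning: password lacks: $(password_policy_gaps "$pw")" >&2
    check_p12_backup "$1" "$pw"
fi
```

Exports from the software versions this manual was written for (Windows 7, Firefox 24) encrypt the certificate bag with 40-bit RC2; OpenSSL 3 refuses that algorithm unless -legacy is added to each pkcs12 command, which is a useful reminder that the file's own encryption is dated and the transport password carries most of the protection.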

4 This section describes how to use your own personal certificate to communicate securely with a Fraunhofer employee. To do you will first have to integrate both the root certificate of the PKI for Fraunhofer Contacts and your own certificate into your e-mail client/application. A further requirement for setting up encrypted communication with a Fraunhofer employee is that you integrate their encryption certificate in your e-mail client. In exceptional cases it may also be necessary to integrate the root certificate, that is to say the PKI for Fraunhofer Employees certificate chain, into the e- mail client as well. Instructions on how to proceed in such instances are also included in this section. 4.1 Preparing the e-mail client to use certificates Different e-mail clients have to be prepared in different ways, so you must follow the instructions applicable to the kind of e-mail client you use. This section describes the process for applications that access the Microsoft certificate store (such as Microsoft Outlook) as well as for applications that use their own certificate store (such as Mozilla Thunderbird). 4.1.1 Integrating the PKI for Fraunhofer Contacts root certificate First download the root certificate from the website at https://contacts.pki. fraunhofer.de. Do so by clicking Load Root Certificate / Revocation List (PKI for Fraunhofer Contacts) under the General menu heading. This opens another page. Right-click on the Download root certificate Certification authority for Fraunhofer Contacts link and select Save Link As from the context menu that appears (see Figure 30). 26 03.02.2017 Version 1.1

Figure 30: Downloading the PKI for Fraunhofer Contacts root certificate

Now select the file where you wish to save the certificate, and click Save (see Figure 31).

Figure 31: Saving the PKI for Fraunhofer Contacts root certificate

4.1.1.1 Incorporating the PKI for Fraunhofer Contacts root certificate into the Microsoft certificate store

If you use Microsoft Outlook for your e-mail communication, then the PKI for Fraunhofer Contacts root certificate must be imported into the Microsoft certificate store that Microsoft Outlook also accesses. To do so, open the Microsoft certificate store via Start > Control Panel > Network and Internet > Internet Options > Content > Certificates and open up the Trusted Root Certification Authorities tab. Click on Import (see Figure 32).

Figure 32: Screenshot showing the Microsoft certificate store's Trusted Root Certification Authorities

This opens the certificate import wizard. Confirm the first window by clicking Next. Now click the Browse... button and select the root certificate that was downloaded previously. Confirm the dialog window by clicking Open and then on Next (see Figure 33).

Note: If the PKI for Fraunhofer Contacts root certificate is not shown in the Open dialog window, you must change the filter that determines the file types shown from X.509 Certificate (*.cer,*.crt) to All Files (*.*), the option that shows all types of file.

Figure 33: Selecting the PKI for Fraunhofer Contacts root certificate when importing it into the Microsoft certificate store

In the dialog windows that follow, simply accept the default settings and confirm them by clicking Next. Finish the certificate import wizard by clicking Finish. At the end of the installation process you will be presented with a security warning (see Figure 34). After you have verified that the fingerprint cited in the security dialog box is correct, please confirm by clicking Yes. Verify the fingerprint by carefully comparing the fingerprint shown in the security dialog box with the root certificate fingerprint given on the website. Confirm by clicking Yes only if all the characters (letters and digits) in both fingerprints are absolutely identical.

Figure 34: Security warning when importing the PKI for Fraunhofer Contacts root certificate into the Microsoft certificate store

A message will appear to confirm that the import was carried out successfully. Close the window by clicking OK (see Figure 35).

Figure 35: Importing the PKI for Fraunhofer Contacts root certificate into the Microsoft certificate store was successful

4.1.1.2 Incorporating the PKI for Fraunhofer Contacts root certificate into the Mozilla Thunderbird certificate manager

If you use Mozilla Thunderbird for your e-mail communication, then the PKI for Fraunhofer Contacts root certificate must be imported into the Mozilla Thunderbird certificate manager.

Note: Mozilla Firefox and Mozilla Thunderbird each use their own certificate managers.

To import the root certificate into the Thunderbird certificate manager, open the certificate manager via Extras > Options > Advanced > Certificates > View Certificates and open up the Authorities tab. Click on Import (see Figure 36).

Figure 36: Screenshot showing the Thunderbird certificate manager's Certificate authorities

This opens a file selection dialog window. Navigate to the location where you saved the PKI for Fraunhofer Contacts root certificate and select the root certificate that was downloaded previously. Confirm the dialog window by clicking Open (see Figure 37).

Figure 37: Selecting the PKI for Fraunhofer Contacts root certificate when importing it into the Thunderbird certificate manager

Now confirm the purpose for which you would like the certificate to be trusted. Ensure that at least the Trust this CA to identify email users option is selected, and close the dialog window by clicking OK after you have made sure that the certificate's SHA1 fingerprint precisely matches the root certificate fingerprint given on the website (see Figure 38). To see the fingerprint for the certificate that is to be imported, please click View. The SHA1 fingerprint is shown at the bottom of the General tab. All the characters (letters and digits) must be absolutely identical to the fingerprint given on the website.

Figure 38: Selecting the trust settings for the PKI for Fraunhofer Contacts root certificate when importing it into Mozilla Thunderbird

The PKI for Fraunhofer Contacts root certificate is now available in the certificate manager and can be used by Mozilla Thunderbird to verify user certificates from the PKI for Fraunhofer Contacts.

4.1.2 Integrating the PKI for Fraunhofer Employees root certificates / certificate chains

In order to be able to verify and use Fraunhofer employee certificates, you must also trust the certification authority that issued the employee certificates. Certificates for Fraunhofer employees are currently issued from two different PKIs. Unlike the PKI for Fraunhofer Contacts, the Fraunhofer-Gesellschaft's PKIs for its employees consist of two multi-level hierarchies that have the Deutsche Telekom Root CA 2 and the T-TeleSec GlobalRoot Class 2 certificate respectively as root certificate at the very top.

Note: In the great majority of cases, the Deutsche Telekom Root CA 2 as well as the T-TeleSec GlobalRoot Class 2 root certificate are pre-installed as standard in operating systems, browsers and e-mail applications. This means a separate import process is not usually necessary. Perform the import only if you encounter problems when verifying or using Fraunhofer employee certificates.

In some individual cases it may be necessary to import the remaining certificates in the Fraunhofer PKI certificate chains in addition to the root certificates given above, these being the DFN-Verein PCA Global - G01 certificate, the DFN-Verein Certification Authority 2 certificate, the Fraunhofer User CA G01 certificate as well as the Fraunhofer User CA G02 certificate.
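Both import procedures above (sections 4.1.1.1 and 4.1.1.2) hinge on one manual step: comparing the fingerprint the certificate viewer shows with the fingerprint published on the website, character for character, before clicking Yes or OK. The same check applies to the employee root certificates described in this section. The following is an added example, not code from the Fraunhofer PKI guide, that performs that comparison on a downloaded certificate file using only the Python standard library. It hashes the DER encoding (the form both the Windows dialog and the Thunderbird viewer display a fingerprint for), accepts either PEM or DER input, and treats any difference in the hex digits as a mismatch, regardless of how the two sources separate or capitalize them. The sample "certificate" in the block is a constructed PEM wrapper around the bytes `abc`, used only so the expected digest is a known SHA-1 test vector; it is not a real certificate.

```python
"""Compute a certificate fingerprint and compare it with the published value.

Added example (not part of the Fraunhofer PKI guide). It reproduces the check
the guide asks for when importing a root certificate: the SHA-1 fingerprint
shown by the certificate viewer must match the one published on the website in
every character.
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample: a PEM wrapper around the bytes b"abc" (base64 "YWJj").
# This is NOT a certificate; it only lets the expected digest be a known
# SHA-1/SHA-256 test vector so the example is checkable without a real file.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def certificate_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or DER input.

    Fingerprints are always computed over the DER encoding, which is what the
    Windows certificate dialog and the Thunderbird viewer display.
    """
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data  # assume raw DER (what a downloaded .cer/.crt usually contains)


def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Hex fingerprint in the colon-separated, upper-case form viewers use."""
    digest = hashlib.new(algorithm, certificate_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so values from different sources compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(shown: str, published: str) -> bool:
    """True only if every hex character is identical; a prefix match is a failure."""
    a, b = normalize(shown), normalize(published)
    return len(a) > 0 and len(a) == len(b) and a == b


def check_download(data: bytes, published: str, algorithm: str = "sha1") -> bool:
    """Fingerprint a downloaded certificate and compare it with the published value."""
    return fingerprints_match(fingerprint(data, algorithm), published)


if __name__ == "__main__":
    # Usage: python check_fingerprint.py <certificate file> <published fingerprint>
    path, published = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        data = fh.read()
    print("SHA-1  :", fingerprint(data, "sha1"))
    print("SHA-256:", fingerprint(data, "sha256"))
    print("match  :", check_download(data, published))
```

Run it against the file saved in Figure 31 (or Figure 40) with the fingerprint copied from the website as the second argument; only a `True` result means the certificate can be trusted, and a mismatch means the download should not be imported. The function deliberately refuses an empty or shorter value, so a partially copied fingerprint cannot pass.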

You can download the PKI for Fraunhofer Employees root certificates and the remaining certificates of the corresponding certificate chains from the https://contacts.pki.fraunhofer.de page. Do so by clicking Load Root Certificate / Revocation List (PKI for Fraunhofer Employees) under the General menu heading. This opens another page. Right-click on the Download Certificate link below the Deutsche Telekom Root CA 2 and T-TeleSec GlobalRoot Class 2 heading respectively, and select Save Link As from the context menu that appears (see Figure 39).

Figure 39: Downloading the PKI for Fraunhofer Employees Deutsche Telekom Root CA 2 root certificate

Now select the folder that you want to save the certificate in and click Save (see Figure 40).

Figure 40: Saving the PKI for Fraunhofer Employees root certificate

Note: The Intermediate Certification Authorities certificates of the PKI for Fraunhofer Employees (DFN-Verein PCA Global - G01 certificate, DFN-Verein Certification Authority 2 certificate, Fraunhofer User CA G01 certificate as well as Fraunhofer User CA G02 certificate) can be downloaded in exactly the same way.

4.1.2.1 Incorporating the PKI for Fraunhofer Employees root certificates / certificate chains into the Microsoft certificate store

The method for integrating the PKI for Fraunhofer Employees root certificates (Deutsche Telekom Root CA 2 and T-TeleSec GlobalRoot Class 2 certificate) into the Microsoft certificate store is exactly the same as the method described in section 4.1.1.1.

If the Intermediate Certification Authorities certificates of the PKI for Fraunhofer Employees are to be imported, these certificates (DFN-Verein PCA Global - G01 certificate, DFN-Verein Certification Authority 2 certificate, Fraunhofer User CA G01 certificate as well as Fraunhofer User CA G02 certificate) should be imported into the Intermediate Certification Authorities certificate store instead of the Trusted Root Certification Authorities certificate store. Apart from this, integrating these certificates is done in exactly the same way as the method described in section 4.1.1.1.

4.1.2.2 Incorporating the PKI for Fraunhofer Employees root certificates / certificate chains into the Mozilla Thunderbird certificate manager

The method for integrating the PKI for Fraunhofer Employees root certificates (Deutsche Telekom Root CA 2 and T-TeleSec GlobalRoot Class 2 certificate) or the Intermediate Certification Authorities certificates of the PKI for Fraunhofer Employees (DFN-Verein PCA Global - G01 certificate, DFN-Verein Certification Authority 2 certificate, Fraunhofer User CA G01 certificate as well as Fraunhofer User CA G02 certificate) into the Mozilla Thunderbird certificate manager is exactly the same as the method described in section 4.1.1.2.

4.2 Incorporating your own personal certificate into the e-mail client

This section describes how to incorporate your personal certificate into your e-mail client and configure it in order to be able to send digitally signed e-mails. The process for incorporating and configuring personal certificates in your e-mail client varies depending on the e-mail client you use. For this reason this section describes the process for applications that access the Microsoft certificate store (such as Microsoft Outlook) as well as for applications that use their own certificate store (such as Mozilla Thunderbird).

4.2.1 Incorporating your own personal certificate into the Microsoft certificate store

If you use Microsoft Outlook for your e-mail communication, then your personal certificate must be imported into the Microsoft certificate store that the different versions of Microsoft Outlook also access.

Note: If you used Internet Explorer to request your own certificate on your system, there is no need to incorporate your personal certificate into the Microsoft certificate store. It will already have been added as part of the request process (see section 2.1). In this case it is necessary only to configure the certificate, for instance in Microsoft Outlook. The method for doing so is described in sections 4.2.1.1 ff.

Do so by opening the Microsoft certificate store via Start > Control Panel > Network and Internet > Internet Options > Content > Certificates and opening up the Personal tab. Click on Import (see Figure 41).

Figure 41: Screenshot showing Personal Certificates in the Microsoft certificate store

This opens the certificate import wizard. Confirm the first window by clicking Next. Now click the Browse button and select your certificate. Confirm the dialog window by clicking Open and then on Next (see Figure 42).

Note: To make sure your personal certificate is shown in the selection dialog window, you must change the filter that determines the file types shown from X.509 Certificate (*.cer,*.crt) to Personal Information Exchange (*.pfx,*.p12). Only then will you also be able to see files containing a corresponding private key as well as a certificate.

Figure 42: Selecting your personal certificate when importing it into the Microsoft certificate store

When you created and saved the certificate you will have set a password for the private key to prevent unauthorized access. Enter that password now. Select the Mark this key as exportable option and, if applicable, the Enable strong private key protection option in addition to the Include all extended properties option that is preselected by default (see Figure 43). By selecting Mark this key as exportable you ensure that your certificate and private key can be exported again later. Now click on Next.

Figure 43: Entering the password and setting the import options when importing a personal certificate into the Microsoft certificate store

In the next dialog box, accept the default settings and confirm by clicking Next (see Figure 44).

Figure 44: Selecting the certificate store to use when importing personal certificates into the Microsoft certificate store

You will now be presented with the Completing the certificate import Wizard dialog window summarizing the settings you have specified. By clicking Finish you give the final authorization for your personal certificate to be incorporated into the Microsoft certificate store.

If you have selected the Enable strong protection for the private key option (see Figure 43), you will now be prompted to issue a password for instances when the private key is used in future. A series of dialog windows will assist you with this process. You will have to enter this password later, for instance every time you sign or decrypt an e-mail. Do this by first selecting Set Security Level as shown in the dialog window in Figure 45.

Note: If you have not selected the Enable strong private key protection option (see Figure 43), the four dialog windows shown below are not relevant.

Figure 45: Adjusting the security level for access to personal private keys at a later point when importing personal certificates into the Microsoft certificate store

First you will have to reconfirm that you wish to be prompted to enter a password every time you use the private key that goes with your certificate. To do so, change the private key security level from Medium to High and then exit the dialog window by clicking Next (see Figure 46).

Figure 46: Changing the security level so that a password is requested whenever the user's private key is accessed at a later point

You will now be prompted to set the password that you wish to be asked for whenever the private key is used. For security reasons you must enter it twice. Complete the dialog window by clicking Finish (see Figure 47).

Note: The password you set at this point will be requested whenever an application needs to access your private key (for instance when digitally signing or decrypting e-mails). It does not have to be the same as the transport password for the key and certificate file that you entered in Figure 43. If you decide to issue another password, please choose one that is secure [3].

[3] The password should be at least twelve characters long and contain upper and lower case letters, numbers and symbols.

Figure 47: Setting the password for later access to the user's private key

Return to the dialog window that you are familiar with from Figure 45. The security level should now correspond to the level you selected (see Figure 48). Clicking OK imports your personal certificate and the private key associated with it into the Microsoft certificate store. The message shown in Figure 49 will appear to confirm the import. Confirm this dialog window by clicking OK too. Your personal certificate is now available in the Microsoft certificate store and can be configured for secure e-mail communication, for example in Outlook (see sections 4.2.1.1 ff.).

Figure 48: Adjusting the security level for access to personal private keys at a later point when importing personal certificates into the Microsoft certificate store

Figure 49: Personal certificate and private key have been successfully imported into the Microsoft certificate store

4.2.1.1 Configuring your own personal certificate in Microsoft Outlook 2010

In order to inform Microsoft Outlook 2010 of the personal certificate and private key it should use to sign/decrypt e-mails, you must first configure the certificate in the e-mail client.

Begin by opening the Trust Center via File > Options > Trust Center > Trust Center Settings > E-mail Security. Now click on the Settings button under Encrypted e-mail (see Figure 50).

Figure 50: Outlook 2010 Trust Center

This opens the Change Security Settings dialog window (see Figure 51). If applicable, change the name entered under Security Settings Name to one that matches your requirements, and click on the uppermost Choose button to set the signing certificate. You will be presented with a list of all certificates that have a digital signature function and for which you have a private key (as a general rule there is only one certificate of this kind available on your system). Select your own PKI for Fraunhofer Contacts personal certificate. This certificate will also automatically be entered as an encryption certificate, as it also has an encryption function. Now close all open dialog windows by clicking OK.

This concludes the process for configuring your own personal certificate in Microsoft Outlook 2010, meaning you are now able to send digitally signed e-mails and decrypt e-mails encrypted for your e-mail address.

Figure 51: Outlook 2010 Configuring a personal certificate

4.2.1.2 Configuring your own personal certificate in Microsoft Outlook 2007

In order to inform Microsoft Outlook 2007 of the personal certificate and private key it should use to sign/decrypt e-mails, you must configure the certificate in the e-mail client. Begin by opening the Trust Center via Extras > Trust Center > E-Mail Security. Now click on the Settings button under Encrypted e-mail (see Figure 52).

Figure 52: Outlook 2007 Trust center

This opens the Change Security Settings dialog window (see Figure 53). Change or set the name entered under Security Settings Name to one that matches your requirements if necessary, and click on the uppermost Choose button to set the signing certificate. You will be presented with a list of all certificates that have a digital signature function and for which you have a private key (as a general rule there is only one certificate of this kind available on your system). Select your own PKI for Fraunhofer Contacts personal certificate. This certificate will also automatically be entered as an encryption certificate, as it also has an encryption function. Unless already selected by Outlook as a default setting, select the options Default Security Setting for this cryptographic message format, Default Security Setting for all cryptographic messages and Send these certificates with signed messages. Now close all open dialog windows by clicking OK.

This concludes the process for configuring your own personal certificate in Microsoft Outlook 2007, meaning you are now able to send digitally signed e-mails and decrypt e-mails encrypted for your e-mail address.

Figure 53: Outlook 2007 Configuring a personal certificate

4.2.1.3 Configuring your own personal certificate in Microsoft Outlook 2003

In order to inform Microsoft Outlook 2003 of the personal certificate and private key it should use to sign/decrypt e-mails, you must configure the certificate in the e-mail client. Begin by opening the Outlook S/MIME Options via Extras > Options. Now select the Security tab and click on the Settings button under Encrypted e-mail (see Figure 54).

Figure 54: Outlook 2003 S/MIME options

This opens the Change Security Settings dialog window (see Figure 55). Change or set the name entered under Security Settings Name to one that matches your requirements if necessary, and click on the uppermost Choose button to set the signing certificate. You will be presented with a list of all certificates that have a digital signature function and for which you have a private key (as a general rule there is only one certificate of this kind available on your system). Select your own PKI for Fraunhofer Contacts personal certificate. This certificate will also automatically be entered as an encryption certificate, as it also has an encryption function. Unless already selected by Outlook as a default setting, select the options Default Security Setting for this cryptographic message format, Default Security Setting for all cryptographic messages and Send these certificates with signed messages. Now close all open dialog windows by clicking OK.

This concludes the process for configuring your own personal certificate in Microsoft Outlook 2003, meaning you are now able to send digitally signed e-mails and decrypt e-mails encrypted for your e-mail address.

Figure 55: Outlook 2003 Configuring a personal certificate

4.2.2 Incorporating and configuring your own personal certificate in Mozilla Thunderbird

If you use Mozilla Thunderbird for your e-mail communication, then your personal certificate must be imported into the Mozilla Thunderbird certificate manager. To import your personal certificate into the Thunderbird certificate manager, open the certificate manager via Extras > Options > Advanced > Certificates > View Certificates and open up the Your Certificates tab. Click on Import (see Figure 56).

Figure 56: Screenshot showing the Thunderbird Your Certificates certificate manager

This opens a file selection dialog window. Navigate to the location where you saved your PKI for Fraunhofer Contacts personal certificate and select it. Confirm the dialog window by clicking Open (see Figure 57).

Figure 57: Selecting your PKI for Fraunhofer Contacts personal certificate when importing it into the Thunderbird certificate manager

Now enter the password that you set when saving the certificate and private key to protect them against unauthorized access. Then click OK (see Figure 58).

Figure 58: Entering the password for your PKI for Fraunhofer Contacts personal certificate when importing it into the Thunderbird certificate manager

Once your certificate and private key have been successfully imported you will receive a confirmation message (see Figure 59). Click on OK. This concludes the process for importing your own personal certificate into Mozilla Thunderbird, meaning you can now configure the certificate for secure e-mail communication to then be able to sign and decrypt e-mails.

Figure 59: Personal certificate and private key have been successfully imported into the Thunderbird certificate manager

Begin by opening S/MIME Security via Extras > Account Settings > Security (see Figure 60). Click on the uppermost Select button to set the signing certificate.

Figure 60: Mozilla Thunderbird Selecting S/MIME settings

You will be presented with a list of all certificates that have a digital signature function and for which you have a private key (as a general rule there is only one certificate of this kind available on your system). Select your own PKI for Fraunhofer Contacts personal certificate and close the dialog window by clicking OK (see Figure 61).

Figure 61: Mozilla Thunderbird Setting up a signing certificate

You will then be asked whether you also wish to use this certificate to decrypt e-mails. Confirm this by clicking Yes (see Figure 62).

Figure 62: Mozilla Thunderbird Setting up a signing certificate

Now close all open dialog windows by clicking OK. This concludes the process for configuring your own personal certificate in Mozilla Thunderbird, meaning you are now able to send digitally signed e-mails and decrypt e-mails encrypted for your e-mail address.

4.3 Incorporating a Fraunhofer employee's certificate into the e-mail client

Note: As a general rule it is not necessary to incorporate a Fraunhofer employee's certificate into the e-mail client, as this happens automatically as soon as you receive and reply to a signed e-mail from a Fraunhofer employee. If you have come by the certificate another way, you can import it into various e-mail clients as described in the following subsections.

4.3.1 Incorporating a Fraunhofer employee's certificate into Microsoft Outlook 2010

Begin by opening a new e-mail from the Start tab by clicking New E-mail. Enter the e-mail address of the Fraunhofer employee in the recipient field. Right-click on this e-mail address and select Add to Outlook Contacts from the context window (see Figure 63).

Note: If the Fraunhofer employee is already saved in your list of contacts, select Look Up Outlook Contact and open their contact details.

Figure 63: Adding a Fraunhofer employee as a contact in Outlook 2010

You will now be shown the contact details for this contact. Select Certificates in the Contact tab and click on Import (see Figure 64).

Figure 64: Importing the Fraunhofer employee's certificate into Outlook 2010

Now go to the directory where you saved the Fraunhofer employee's certificate and select it. Click Open (see Figure 65).

Figure 65: Selecting the Fraunhofer employee's certificate

The certificate has now been added to the certificate store. Now click on Save & Close (see Figure 66).

Figure 66: Saving the certificate allocation in Outlook 2010

This concludes the process for integrating the Fraunhofer employee's certificate into Outlook 2010, meaning the certificate can be used for secure e-mail communication.

4.3.2 Incorporating a Fraunhofer employee's certificate into Microsoft Outlook 2007

Begin by opening a new e-mail from the Start tab by clicking New E-mail. Enter the e-mail address of the Fraunhofer employee in the recipient field. Right-click on this e-mail address and select Add to Outlook Contacts from the context window (see Figure 67).

Note: If the Fraunhofer employee is already saved in your list of contacts, select Look Up Outlook Contact and open their contact details.

Figure 67: Adding a Fraunhofer employee as a contact in Outlook 2007

You will now be shown the contact details for this contact. Select Certificates in the Contact tab and click on Import (see Figure 68).

Figure 68: Importing the Fraunhofer employee's certificate into Outlook 2007

Now go to the directory where you saved the Fraunhofer employee's certificate and select it. Click Open (see Figure 69).

Figure 69: Selecting the Fraunhofer employee's certificate

The certificate has now been added to the certificate store. Now click on Save & Close (see Figure 70).

Figure 70: Saving the certificate allocation in Outlook 2007

This concludes the process for integrating the Fraunhofer employee's certificate into Outlook 2007, meaning the certificate can be used for secure e-mail communication.

4.3.3 Incorporating a Fraunhofer employee's certificate into Microsoft Outlook 2003

Begin by opening a new e-mail from the Start tab by clicking New E-mail. Enter the e-mail address of the Fraunhofer employee in the recipient field. Right-click on this e-mail address and select Add to Outlook Contacts from the context window (see Figure 71).

Note: If the Fraunhofer employee is already saved in your list of contacts, select Look Up Outlook Contact and open their contact details.

Figure 71: Adding a Fraunhofer employee as a contact in Outlook 2003

You will now be shown the contact details for this contact. Select Certificates in the Contact tab and click on Import (see Figure 72).

Figure 72: Importing the Fraunhofer employee's certificate into Outlook 2003

Now go to the directory where you saved the Fraunhofer employee's certificate and select it. Click Open (see Figure 73).

Figure 73: Selecting the Fraunhofer employee's certificate

The certificate has now been added to the certificate store. Now click on Save & Close (see Figure 74).

Figure 74: Saving the certificate allocation in Outlook 2003

This concludes the process for integrating the Fraunhofer employee's certificate into Outlook 2003, meaning the certificate can be used for secure e-mail communication.

4.3.4 Incorporating a Fraunhofer employee's certificate into Mozilla Thunderbird

To embed the Fraunhofer employee's certificate into Mozilla Thunderbird, begin by opening the certificate manager found under Extras > Options > Advanced > Certificates > View Certificates and open up the People tab. Click on Import (see Figure 75).

Figure 75: Importing a Fraunhofer employee's certificate into Mozilla Thunderbird

Now go to the directory where you saved the Fraunhofer employee's certificate and select it. Click Open (see Figure 76).

Figure 76: Selecting the Fraunhofer employee's certificate

The certificate has now been added to the certificate store (see Figure 77), and the process to integrate the Fraunhofer employee's certificate into Thunderbird is complete. Close the certificate manager by clicking OK. The certificate can now be used for secure e-mail communication.

Figure 77: Thunderbird certificate manager featuring the Fraunhofer employee's certificate

4.4 Sending digitally signed and/or encrypted e-mails

Signed e-mails that you send use your personal certificate, and do not require recipients' certificates. Your e-mail client calculates a checksum from the text in your e-mail, and adds a digital signature to it using your certificate. The underlying mathematical process means the recipient is able to verify both the integrity of the e-mail (that it was not changed during transmission) and the authenticity of the sender (that the e-mail is indeed from you).

Encrypted e-mails that you send require the encryption certificates of all recipients. Using the encryption certificates, the message is encrypted in such a way that only the person in possession of the private key that goes with the encryption certificate can read it. This guarantees confidentiality.

It therefore follows that to send a signed and encrypted e-mail you require both your own personal certificate (sender's certificate) and the certificates of all the recipients of the e-mail.
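The two mechanisms just described, a signature over a digest of the message and an encryption that only the holders of the recipients' private keys can undo, are shown below in an added example that is not part of the Fraunhofer PKI guide and is not an S/MIME implementation. It uses the `cryptography` library (an assumption: the guide itself involves no code) and generates RSA key pairs in place, so a party's public key stands in for the certificate the guide would have you import; no material from the PKI for Fraunhofer Contacts is used. The encryption side follows the hybrid pattern S/MIME clients use: the body is encrypted once with a random content key, and that key is wrapped for each recipient's public key, which is exactly why the sender needs every recipient's certificate before the message can be sent.

```python
"""Sign/verify and encrypt/decrypt an e-mail body for several recipients.

Added example (not part of the Fraunhofer PKI guide; not an S/MIME
implementation). Keys are generated here instead of coming from the PKI, so
a party's public key plays the role of its certificate.
"""
import os
from typing import Dict, Optional

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-PSS for signatures, RSA-OAEP for wrapping the content key, SHA-256 throughout.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_party() -> rsa.RSAPrivateKey:
    """Stand-in for obtaining a certificate: a fresh 2048-bit RSA key pair."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign(sender_private_key: rsa.RSAPrivateKey, body: bytes) -> bytes:
    """The client hashes the body and signs that digest with the sender's private key."""
    return sender_private_key.sign(body, PSS, hashes.SHA256())


def verify(sender_public_key: rsa.RSAPublicKey, body: bytes, signature: bytes) -> bool:
    """Integrity and authenticity in one check: a changed body, or a signature
    made with some other key, both make verification fail."""
    try:
        sender_public_key.verify(signature, body, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def encrypt_for(recipients: Dict[str, rsa.RSAPublicKey], body: bytes) -> dict:
    """Hybrid encryption: encrypt the body once with a random AES-256-GCM
    content key, then wrap that key separately for every recipient's public key."""
    content_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # GCM nonce; unique per content key
    ciphertext = AESGCM(content_key).encrypt(nonce, body, None)
    wrapped_keys = {name: pub.encrypt(content_key, OAEP) for name, pub in recipients.items()}
    return {"nonce": nonce, "ciphertext": ciphertext, "wrapped_keys": wrapped_keys}


def decrypt_as(name: str, private_key: rsa.RSAPrivateKey, envelope: dict) -> Optional[bytes]:
    """Only a listed recipient holding the matching private key recovers the
    body; anyone else (not listed, or holding the wrong key) gets None."""
    wrapped = envelope["wrapped_keys"].get(name)
    if wrapped is None:
        return None  # no content key was wrapped for this name
    try:
        content_key = private_key.decrypt(wrapped, OAEP)
        return AESGCM(content_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    except (ValueError, InvalidTag):
        return None  # OAEP unwrapping (or the GCM tag check) fails with the wrong key


if __name__ == "__main__":
    # Constructed walk-through: Alice signs and encrypts for Bob only.
    alice, bob, carol = generate_party(), generate_party(), generate_party()
    body = b"Constructed sample message body"
    signature = sign(alice, body)
    print("verified by Bob:", verify(alice.public_key(), body, signature))
    print("tampered body  :", verify(alice.public_key(), body + b"!", signature))
    envelope = encrypt_for({"bob": bob.public_key()}, body)
    print("Bob reads      :", decrypt_as("bob", bob, envelope))
    print("Carol reads    :", decrypt_as("carol", carol, envelope))
```

Note that in this model the sender can only read the encrypted copy in their own Sent folder if they are also listed as a recipient; real e-mail clients handle this by encrypting to the sender's own certificate as well, which is one more reason the sender's own certificate must be configured before encrypted mail can be used.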

The dialog windows and the steps in the process for sending signed and/or encrypted e-mails vary slightly depending on the e-mail client you use. For this reason the following subsections describe the process for different versions of Microsoft Outlook and Mozilla Thunderbird.

4.4.1 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook 2010

Create a new e-mail. You have the option to digitally sign the e-mail when composing it by clicking on the Sign symbol in the Options tab (see Figure 78).

Figure 78: Adding a digital signature to an e-mail in Outlook 2010

To encrypt an e-mail, click the Encryption symbol in the Options tab (see Figure 79).

Figure 79: Encrypting an e-mail in Outlook 2010

4.4.2 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook 2007

Create a new e-mail. You have the option to digitally sign the e-mail when composing it by clicking on the Sign symbol found in the Options section of the menu ribbon under the Message tab (see Figure 80).

Figure 80: Adding a digital signature to an e-mail in Outlook 2007

To encrypt an e-mail, click the Encryption symbol in the Options section of the Message tab (see Figure 81).

Figure 81: Encrypting an e-mail in Outlook 2007

4.4.3 Sending digitally signed and/or encrypted e-mails using Microsoft Outlook 2003

Create a new e-mail. You have the option to digitally sign the e-mail when composing it by selecting the option Add digital signature to this message in the message security properties, found under File > Properties in the Security tab (see Figure 82).

Figure 82: Adding a digital signature to an e-mail in Outlook 2003

To encrypt the e-mail, select the Encrypt message contents and attachments option under the Security tab, found under File > Properties for the e-mail (see Figure 83).

Figure 83: Encrypting an e-mail in Outlook 2003

4.4.4 Sending digitally signed and/or encrypted e-mails using Mozilla Thunderbird

Create a new e-mail. You have the option to digitally sign the e-mail when composing it by selecting the Digitally Sign This Message option under the Security header in the message menu (see Figure 84). Open the S/MIME options by clicking on the little arrow next to the menu item.

Figure 84: Adding a digital signature to an e-mail in Mozilla Thunderbird

To encrypt an e-mail, select the Encrypt This Message option under the Security header (see Figure 85).

Figure 85: Encrypting an e-mail in Mozilla Thunderbird

5 Revoking a personal certificate

If you are already in possession of a certificate issued by the Certification Authority for Fraunhofer Contacts and wish to revoke it, you can request a revocation at https://contacts.pki.fraunhofer.de. Revoking a certificate may be necessary if:

- your e-mail address has changed or will change,
- you no longer want to use the certificate for secure communication within a Fraunhofer-related context,
- you no longer accept and/or fulfil the guidelines of the PKI for Fraunhofer Contacts, or
- (especially) abuse or compromise of the private key is suspected or has occurred.

In order to prevent a third party from revoking your certificate, revocation is set up as a two-stage process. First, the certificate that is to be revoked must be identified. Please do so by providing us with the e-mail address named in the certificate. An e-mail will be dispatched to this address containing a special link, similar to the process for obtaining a certificate. This link then enables you to revoke the certificate yourself.

5.1 Requesting the revocation of a personal certificate by e-mail

Please go to https://contacts.pki.fraunhofer.de and select Revoke a Certificate in the For Partners section of the menu (see Figure 86).

Figure 86: Requesting the revocation of a certificate

Now enter the e-mail address that is assigned to your personal certificate into the E-mail address of certificate to be revoked field. Then click Request revocation e-mail.

Provided there are valid certificates assigned to the e-mail address you entered, you will receive a message informing you that a list of all valid certificates assigned to the e-mail address has been sent out, along with the option to revoke them (see Figure 87).

Figure 87: Message indicating that the user's request for revocation was successful

If this is not the case, a message appears informing you that no e-mail has been sent.

This concludes the process for requesting a revocation e-mail. You must now wait for the automatically generated revocation e-mail to appear in your inbox before you can revoke the certificate (see Figure 88). This e-mail will arrive after a short time.

Figure 88: Example of a revocation e-mail for revoking a certificate

5.2 Permanently revoking a personal certificate using the revocation e-mail

In instances where several certificates have been issued for the e-mail address given, the revocation e-mail will list all relevant certificates that are still valid and give you the opportunity to individually select which certificates are to be revoked. To permanently revoke a certificate listed in the e-mail, click on the relevant link in the e-mail or copy it into the address bar of your browser (see Figure 89).

Figure 89: Selecting a certificate you wish to revoke from the list provided in the revocation e-mail

The link takes you to a special PKI Contacts web page that will lead you through the certificate revocation process (see Figure 90). Read through the text on the web page carefully, making sure you understand that

- regardless of whether the revocation takes place, you should not destroy the private key that goes with the certificate, as without it you will be unable to read (i.e. decrypt) e-mails that were encrypted for you using the certificate in question. For this reason you should, if applicable, retain a backup copy of your certificate along with its private key and keep it in a safe place (such as an external hard drive). Alternatively, both certificate and private key are still available in the certificate store of the browser you used to request the certificate in the first place. You can use the method described in Chapter 3 to export it from there.
- it is not possible to undo a revocation. If you realize after revoking a certificate that you need it after all, you will have to request a new (different) certificate.

To revoke the certificate in question, please check the tick box by the selected certificate entry and click Revoke certificate (see Figure 90).

Figure 90: Confirming the selection of a certificate that is to be revoked

You will now receive a message informing you that the revocation was carried out and that a new revocation list will be published shortly (see Figure 91). You will also receive an automatic e-mail informing you that the revocation has taken place (see Figure 92). This successfully concludes the revocation process.

Note: The revocation list containing the serial number of the certificate that has been revoked will appear on the PKI for Fraunhofer Contacts website no later than 30 minutes after a successful revocation.
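The note above says that the serial number of a revoked certificate appears on the published revocation list (CRL). A relying party that wants to act on that list must check that the CRL is genuine and current before trusting what it does or does not contain. The following Go program is an added example, not part of this manual or of the PKI for Fraunhofer Contacts: it builds a constructed in-memory demo CA and CRL as stand-ins for the real ones (no URL, key or serial here is taken from the page) and shows the checks a verifier performs before concluding that a serial is, or is not, revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// newCA generates a constructed in-memory demo CA (not Fraunhofer's) that may sign CRLs.
func newCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader); must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv); must(err)
	cert, err := x509.ParseCertificate(der); must(err) // parsed cert carries the SubjectKeyId CRL signing needs
	return cert, priv
}

// issueCRL has the CA sign a DER CRL listing the given serials; NextUpdate says when to refetch.
func issueCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(30 * time.Minute)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey); must(err)
	return der
}

// isRevoked verifies the CRL's signature against the expected CA and rejects a stale list
// before looking the serial up, so a forged or outdated CRL cannot hide a revocation.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil { err = crl.CheckSignatureFrom(ca) }
	if err == nil && time.Now().After(crl.NextUpdate) { err = errors.New("stale CRL: fetch a fresh list before relying on it") }
	if err != nil { return false, err }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 { return true, nil }
	}
	return false, nil
}
```

A "not found" answer is only meaningful when the signature check and the NextUpdate check both pass; an error from isRevoked means the list cannot be relied on at all. Requires Go 1.19 or newer for x509.ParseRevocationList.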

Figure 91: Confirmation that your personal certificate has been revoked

Figure 92: E-mail confirming that your personal certificate has been revoked